SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-614 Insecure Cookie in HTTPS Session

Coverage: 8 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 7Other-pattern 1 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged session cookies that are missing secure attributes (like Secure, HttpOnly, and a safe SameSite) even though the session is used over HTTPS.

Why it matters

Safer examples

1) Set Secure, HttpOnly, and SameSite

res.cookie("session", token, {
  httpOnly: true,
  secure: true,
  sameSite: "lax",
});

2) Rotate sessions on login and privilege changes

If a session is stolen, rotation reduces the window and prevents fixation.

3) Prefer short sessions + revocation

Give users/admins the ability to revoke sessions, and use reasonable expirations (see TOK01).

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.